First of all, what do you mean by 'random' - is there any pattern you can discern? Any specific domains associated with the addresses? Are the destination ports consistent?
Second, can you get any packet captures? Does NETSTAT/NBTSTAT show anything?
Windows systems tend to be chatty Kathys, and 445 is one of their favorite ports - with 135 being right in there, thanks to DCOM/RPC.
-EdTr.
-----Original Message-----
From: "Walzer, Jeff" <Jeff.Walzer at dcsg.com>
Date: Fri, 2 Dec 2005 16:19:10
To:<list at lists.dshield.org>
Subject: [Dshield] PC exhibiting weird behavior
I have a W2K PC that I see sending occasional traffic to random IP
addresses from ports 135 and 445. I have done a complete virus scan and
it's clean, but I'm unable to figure out why it's trying to send from
ports 135 and 445 to random IP addresses. Any ideas as to what to do next?
Thanks...
Cheers,
-E D Truitt